Valve has commented on a reported Steam data breach wherein details of 89 million user accounts were said to have leaked online. The company said the reported leak did not breach Steam systems, but it was investigating the source of the leak. Valve further confirmed that the leaked data did not associate users’ phone numbers with a Steam account, password information, payment information or other personal data. Steam users don’t need to change their passwords or phone numbers as a result of this breach, the company said.
Steam Account Data Reportedly Leaked
Earlier this week, reports of a major Steam data breach surfaced online after a LinkedIn user claimed to have found a malicious actor offering data of over 89 million Steam accounts for a fee of $5,000 on a popular dark web forum.
Based on the original claim, X user @MellowOnline1, who owns Steam user advocacy group ‘Sentinals of the Store’, shared an update on the breach earlier this week, saying the leak likely originated outside of Steam. According to the user, leaked data included real-time SMS logs used in two-factor authentication (2FA) for Steam accounts, which would point the finger at a third-party vendor used by Valve.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise — meaning an external service that Steam relies on was targeted.
Here’s what we understand from this update:
New evidence confirms some…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
Valve Says Steam Systems Safe
In a post on Thursday, Valve acknowledged the leak but confirmed Steam’s systems were not breached.
“You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems,” the company said.
“We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
As per Valve, the leak included older text messages consisting of one-time codes valid for 15-minute windows and the phone numbers they were sent to.
“The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages,” Valve assured Steam users.
As such, users do not need to change their Steam passwords or associated phone numbers. Valve, however, urged Steam users to treat any account security messages that they didn’t explicitly request as suspicious and regularly check their account security on the platform.
Valve also recommended users to set up the Steam Mobile Authenticator for a more secure way to receive messages about their account and its safety.